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UNITED STATES PATENT AND TRADEMARK OFFICE 



Re: Application of: 

Serial No.: 

International 
Application No.: 

Filed: 
For: 



Tobias MARTIN et al. 
To Be Assigned 

PCT/EPOO/06510 
Herewith 

METHOD FOR ESTABLISHING A COMMON KEY 
FOR A GROUP OF AT LEAST THREE SUBSCRIBERS 



BOX PCT 

Asst. Commissioner for Patents 
Washington, D.C. 20231 

February 11,2002 

PRELIMINARY AMENDMENT 

Sir: 

Applicants request that the following Amendments be made in the above T identified 
matter prior to examination thereof: 

IN THE DRAWINGS 

Please add new Fig. 1 as submitted herewith. 

IN THE SPECIFICATION 

Before paragraph [0001], please change the heading "Specification" to — 
BACKGROUND-. 

Please amend paragraph [0001] as follows: 



[0001 ] The present invention relates to a method for establishing a common key within a group 
of subscribers using a publicly known mathematical group and a publicly known element of the 
group. 

Please amend paragraph [0005] as follows: 

[0005] A difficulty of the DH-key exchange lies in that Alice does not know whether she 
actually communicates with Bob or with a cheater. In the IPSec-Standards of the Internet 
Engineering Task Force (IETF RFC 2412: The OAKLEY Key Determination Protocol), this 
problem is solved by using public key certificates in which the identity of a subscriber is 
combined with a public key by a trust center. In this manner, the identity of an interlocutor 
becomes verifiable. 

Page 3, please insert paragraphs [0011.1] and [0011.2] as follows: 
--[0011.1] Known from Menezes et al: "Handbook of applied cryptography" 1997 CRC Press. 
Boca Raton (US) XP002152150 is a method for establishing a common key involving at least 
three subscribers. In this design approach, a group member (chair) is defined from whom all 
activities originate. The selection of common key K lies solely with the chair. Subsequently, 
common key K is sent from the chair to every group member on the basis of the Diffie-Hellman 
keys determined in pairs, respectively. Thus, common key K is always just as good as it has 
been selected by the chair. 

[001 1 .2] In Lennon R E et Al: "Cryptographic key distribution using composite keys" 
Birmingham, Alabama, DEC.3-6, 1978, New York. IEEE, US Vol. CONF. 1978, December 3 rd , 
1978 (1978-12-03), pp. 26101-261 16-6. XP002098158, a key exchange method is described 
which is limited to two subscribers. In this design approach, each subscriber generates his/her 
own random number and sends it to the other subscriber in encrypted form. The common key is 
then determined by each subscriber from the own random number and the encrypted random 
number received from the other subscriber, using a symmetrical function (EXC-OR).-. 

Page 4, before paragraph [0014] please insert the heading -SUMMARY OF THE 
EMVENTION— . 

Please amend paragraph [0014] as follows: 



2 



[0014] An object of the present invention is to provide a method for generating a common key 
within a group of at least three subscribers. The intention is for the method to be designed in 
such a manner that it stands out over the known methods by a small computational outlay and a 
small communication requirement (few rounds even in the case of many subscribers). At the 
same time, however, it is intended to have a comparable security standard as the DH method. 
The method has to be easy to implement. Information on the structure of the group should not 
be required for carrying out the method. 

Page 4, please insert paragraph [0014.1] as follows: 
--[0014.1] The present invention provides a method for establishing a common key for a group 
of at least three subscribers. The method comprises: 

generating by each subscriber Ti of the at least three subscribers a respective message Ni 
= (g zl mod p) from a publicly known element g of large order of a publicly known mathematical 
group G and a respective random number zi and sending the respective message from the 
respective subscriber to all other subscribers Tj of the at least three subscribers, each respective 
random number zi being selected or generated by the respective subscriber Ti; 

generating by each subscriber Ti a transmission key k ,J from the messages Nj received 
from the other subscribers Tj, j * i, and the respective random number zi according to k ,J : = Nj zl = 

sending by each subscriber Ti the respective random number zi in encrypted form to all 
other subscribers Tj by generating the message Mij according to Mij := E(k IJ , zi), E(k 1J , zi) being 
a symmetrical encryption algorithm in which the data record zi is encrypted with the 
transmission key k 1J ; and 

determining a common key k by each subscriber Ti using the respective random number 
zi and the random numbers zj, j * i, received from the other subscribers according to 

k: = f(zl, zn), 

f being a symmetrical function which is invariant under a permutation of its arguments.--. 

Before paragraph [0022], please insert the following: the heading —BRIEF 
DESCRIPTION OF THE DRAWING-; paragraph [0021.1] as follows: 

-[0021 . 1] Fig. 1 shows a flow chart of a method for establishing a common key within a group 
of subscribers.— ; 
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the heading --DETAILED DESCRIPTION—; and paragraph [0021.2] as follows: 
[0021 .2] Referring to Fig. 1, in a method according to the present invention for establishing a 
common key within a group of subscribers, by each subscriber Ti of the at least three subscribers 
a respective message Ni = (g zl mod p) is generated from a publicly known element g of large 
order of a publicly known mathematical group G and a respective random number zi and the 
respective message is sent from the respective subscriber to all other subscribers Tj of the at least 
three subscribers (see block 102). Each respective random number zi is selected or generated by 
the respective subscriber Ti. Then, by each subscriber Ti a transmission key k 1J is generated 
from the messages Nj received from the other subscribers Tj, j * i, and the respective random 
number zi according to k ij : = Nj zl = (g?f (see block 104). By each subscriber Ti the respective 
random number zi is sent in encrypted form to all other subscribers Tj by generating the message 
Mij according to Mij := E(k 1J , zi), E(k ij , zi) being a symmetrical encryption algorithm in which 
the data record zi is encrypted with the transmission key k 1J (see block 106). Finally, a common 
key k is determined by each subscriber Ti using the respective random number zi and the 
random numbers zj, j * i, received from the other subscribers according to k: = f(zl, zn), f 
being a symmetrical function which is invariant under a permutation of its arguments (see block 
108).-. 

Please amend paragraph [0026] as follows: 
[0026] A variant of the method is to assign a special role to one of subscribers Tl-Tn for the 
execution of the second method step. If this role is assigned, for example, to subscriber TI, then 
method steps 2 and 3 or b and c are executed only by subscriber TI . In fourth method step d, all 
subscribers Tl-Tn involved in the method compute common key k according to the assignment 
k: = h(zl, g 22 , g 2 "), it being required for (xl, x2, xn) to be a function which is symmetrical 
in arguments x2, ... xn. This variant drastically reduces the number of messages to be sent. An 
example of such a function g is, for instance, 

k:=h(zl,g z2 ,...,g zn ) = g zlzl -g z2zl ... g 21121 . 

Page 9, please delete the heading "METHOD FOR ESTABLISHING A COMMON KEY 
FOR A GROUP OF AT LEAST THREE SUBSCRIBERS". 

Page 9, first line change "(2) What is claimed is" to -WHAT IS CLAIMED IS-. 
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IN THE CLAIMS : 

Please cancel claiml as presented in the underlying International Application No. 
PCT/EP00/06510 and cancel revised claims 1-2 annexed to the International Preliminary 
Examination Report, and add new claims 3-6 as follows: 

—3. (new) A method for establishing a common key for a group of at least three subscribers, 
the method comprising: 

generating by each subscriber Ti of the at least three subscribers a respective message Ni 
= (g 21 mod p) from a publicly known element g of large order of a publicly known mathematical 
group G and a respective random number zi and sending the respective message from the 
respective subscriber to all other subscribers Tj of the at least three subscribers, each respective 
random number zi being selected or generated by the respective subscriber Ti; 

generating by each subscriber Ti a transmission key k 1J from the messages Nj received 
from the other subscribers Tj, j * i, and the respective random number zi according to k 1J : = Nj zl = 

(gT; 

sending by each subscriber Ti the respective random number zi in encrypted form to all 
other subscribers Tj by generating the message Mij according to Mij := E(k ,J , zi), E(k ,J , zi) being 
a symmetrical encryption algorithm in which the data record zi is encrypted with the 
transmission key k 1J ; and 

determining a common key k by each subscriber Ti using the respective random number 
zi and the random numbers zj, j * i, received from the other subscribers according to 

k: = f(zl, zn), 

f being a symmetrical function which is invariant under a permutation of its arguments. 

4. (new) The method as recited in claim 3 wherein the transmission key k ,J is known to 
subscriber Tj according to k !J = k JI . 

5. (new) A method for establishing a common key for a group of at least three subscribers, 
the method comprising: 

generating by each subscriber a respective message Ni = (g 21 mod p) from a publicly 
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known element g of large order of a publicly known mathematical group G and a respective 
random number zi and sending the respective message by each subscriber except a 
predetermined first subscriber Tl of the at least three subscribers to the first subscriber Tl, each 
respective random number zi being selected or generated by the respective subscriber Ti; 

encrypting by the first subscriber Tl the received messages Nj of the other subscribers 
Tj, j * 1, with the random number zl to form a respective transmission key k lj for each 
subscriber Tj ; 

sending by the first subscriber Tl the random number zl to all other subscribers Tj in 
encrypted form by generating a message Mlj according to Mlj := E(k lJ , zl), E(k lj , zl) being a 
symmetrical encryption algorithm in which the random number zl is encrypted with the 
transmission key k Ij ; and 

determining a common key k by each subscriber Ti using the values Ni and Nj, j * i, and 
the random number zl sent by the first subscriber Tl in encrypted form using 

ki^hCzUg 22 ,...^), 
h (xl, x2, xn) being a function which is symmetrical in the arguments x2, xn. 

6. (new) The method as recited in claim 5 wherein the key is known to subscriber Tj 

according to k lj = k jl .~. 

IN THE ABSTRACT : 

Please replace the abstract of record with the new abstract submitted herewith as a 
separate sheet. 

REMARKS 

New Fig. 1 is submitted herewith for the Examiner's consideration. The application has 
been amended to place the application in proper format and correct errors. It is respectfully 
submitted that the claims have not been narrowed. It is respectfully submitted that no new 
matter has been added. 
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Applicants believe that no fees are due as a result of this amendment. In the event of a 
fee discrepancy, please charge our Deposit Account No. 50-0552. 

Respectfully submitted, 

DAVIDSON, DAVIDSON & KAPPEL, LLC 

By \MdC C , 




William C. Gehris 
Reg. No. 38,156 



Davidson, Davidson & Kappel, LLC 
485 Seventh Avenue - 14 th Floor 
New York, New York 10018 
(212) 736-1940 



"Express Mail" mailing label no EL 914449536 US 
Date of deposit February 1 1 , 2002 

I hereby certify that this correspondence and/or fee is being 
deposited with the United States Postal Service "Express Mail 
Post Office to Addressee" service under 37 CFR 1 10 on the 
date indicated above in an envelope addressed to "Commissioner 
of Patents and Trademarks, Washington, DC 20231" 

DAVIDSON, DAVIDSON & KAPPEL, LLC 

BY: ^ L' 
Samuel Gomez 
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Abstract 

A method for establishing a common key for a group of at least three subscribers includes using 
a publicly known mathematical number group and a higher order element of the group g e G. In 
the first step, a message corresponding to Ni: = g zl mod p is sent by each subscriber to all other 
subscribers (Tj), (zi) being a random number chosen from the set (1, p-2) by a random 
number generator. In the second step, each subscriber (Ti) selects a transmission key kij: = (g ZJ ) zl 
for each other subscriber (Tj) from the received message (g 2 - 1 ), with i + j, for transmitting their 
random number (zi) to the subscribers (Tj). In the third step, the common key k is calculated as 
k: = f(zl, z2, zn) for each subscriber Ti. 
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Application of: Tobias MARTIN et al. 
International Application No. PCT/EP00/06510 
Filed Herewith 



[520.1007] 



VERSION OF AMENDMENTS 
WITH MARKINGS TO SHOW CHANGES MADE 

IN THE SPECIFICATION: 

Pagel, heading before paragraph [0001]: [Specification] -Background-. 
Page 1, paragraph [0001]: 

[0001] The present invention relates to a method for establishing a common key within a group 
of subscribers [according to the definition of the species in the independent claim] using a 
publicly known mathematical group and a publicly known element of the group . 

Page 1, paragraph [0005]: 

[0005] [The] A difficulty of the DH-key exchange lies in that Alice does not know whether she 
actually communicates with Bob or with a cheater. In the IP Sec- Standards of the Internet 
Engineering Task Force (IETF RFC 2412: The OAKLEY Key Determination Protocol), this 
problem is solved by using public key certificates in which the identity of a subscriber is 
combined with a public key by a trust center. In this manner, the identity of an interlocutor 
becomes verifiable. 

Page 4, paragraph [0014]: 

[0014] [The method according to] An object of the present invention [has to be suitable] is to 
provide a method for generating a common key within a group of at least three subscribers. The 
intention is for the method to be designed in such a manner that it stands out over the known 
methods by a small computational outlay and a small communication requirement (few rounds 
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even in the case of many subscribers). At the same time, however, it is intended to have a 
comparable security standard as the DH method. The method has to be easy to implement. 
Information on the structure of the group should not be required for carrying out the method. 

Page 6, paragraph [0026]: 

[0026] A variant of the method is to assign a special role to one of subscribers Tl-Tn for the 
execution of the second method step. If this role is assigned, for example, to subscriber Tl, then 
method steps 2 and 3 or b and c are executed only by subscriber Tl. In fourth method step d, all 
subscribers Tl-Tn involved in the method compute common key k according to the [equation] 
assignment k: = h(zl, g z2 , g 2 "), it being required for (xl, x2, xn) to be a function which is 
symmetrical in arguments x2, ... xn. This variant drastically reduces the number of messages to 
be sent. An example of such a function g is, for instance, 

k: = h(zl, g z \ g 2 ") = g zl zl • g 2221 ... g 2 " 21 . 

Page 9, heading: [METHOD FOR ESTABLISHING A COMMON KEY FOR A GROUP OF 
AT LEAST THREE SUBSCRIBERS]. 

Page 9 first line : -WHAT IS CLAIMED IS-- [(2) What is claimed is]. 

IN THE ABSTRACT: 

Please amend the abstract as follows: 
[The inventive method is based on] A method for establishing a common key for a group of at 
least three subscribers includes using a publicly known mathematical number group and a higher 
order element of the group g e G. In the first [work] step, a message corresponding to Ni: = g zl 
mod [p)] p is sent by each subscriber to all other subscribers (Tj), (zi) being a random number 
chosen from the set (1, p-2) by a random number generator. In the second [work] step, each 
subscriber (Ti) selects a transmission key kij: = (g^) 21 for each other subscriber (Tj) from the 
received message (g^), with i + j, for transmitting their random number (zi) to the subscribers 
(Tj). In the third [work] step, the common key k is calculated as k: = f(zl, z2, zn) for each 
subscriber Ti. 
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METHOD FOR ESTABL IS HING A C OMMON KEY FOR A GROT I P OF AT LEAST 

THB£E_SUBSCR1BERS 



Specification 

[0001] The present invention relates to a method for establishing a common key within a 
group of subscribers according to the definition of the species in the independent claim. 

[0002] Encryption methods of varied types belong to state of the art and increasingly have 
commercial importance. They are used for sending messages over commonly accessible 
transmission media, but only the owners of a cryptokey being able to read these messages in 
plain text. 

[0003] A known method for establishing a common key over unsecure communication 
channels is, for example, the method by W. Diffie and W. Hellmann (see DH-Method W. 
Diffie and M. Hellmann, see New Directions in Cryptography, IEEE Transaction on 
Information Theory , IT-22(6): 644-654, November 1976). 

[0004] The basis of the Diffie Hellmann key exchange (DH-key exchange) is the fact that it 
is virtually impossible to compute logarithms modulo a large prime number p. In the 
example depicted below, Alice and Bob make use of this in that they each secretly select a 
number x or y, respectively, which are smaller than p (and relatively prime to p-1). Then, 
they (successively or simultaneously) send each other the x th (or y< h ) power modulo p of a 
publicly known number a. They are able to compute a common key K: = cc xy mod p from the 
received powers by another exponentiation modulo p with x or y, respectively. An attacker 
who sees only a x mod p and <x y mod p cannot compute K therefrom. (The only method for 
this which is known today would be to initially compute the logarithm, for example, of cc x to 
base a modulo p, and to subsequently exponentiate oc y therewith.) 
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Alice Bob 

secretly selects x a x 



a y secretly selects y 



generates K: = (cc*)* = ce xy generates K: = (a x ) y = a xy 

Example of the Diffie-Hellmann key exchange 

[0005] The difficulty of the DH-key exchange lies in that Alice does not know whether she 
actually communicates with Bob or with a cheater. In the IPSec-Standards of the Internet 
Engineering Task Force (IETF RFC 2412: The OAKLEY Key Determination Protocol), this 
problem is solved by using public key certificates in which the identity of a subscriber is 
combined with a public key by a trust center. In this manner, the identity of an interlocutor 
becomes verifiable. 

[0006] The DH-key exchange can also be carried out using other mathematical structures, 
for example, with finite bodies GF (2 n ) or elliptical curves. Using these alternatives, it is 
possible for the performance to be improved. However, this method is only suitable to agree 
upon a key between two subscribers. 

[0007] Several attempts have been made to extend the DH method to three or more 
subscribers (group DH). An overview of the related art is offered by M. Steiner, G. Tsudik, 
M. Waidner in Diffie-Hellmann Key Distribution Extended to Group Communication, Proc. 
3 rd ACM Conference on Computer and Communications Security, March 1996, New Delhi, 
India. 

[0008] An extension of the DH method to subscribers A, B and C is described, for example, 
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by the following table (the calculation is in each case mod p): 



Subscriber A;B;C 


A- B 


B - C 


C - A 


1 st round 


g a 


g b 


g c 


2 nd round 






g bc 



[0009] Subsequent to carrying out these two rounds, each of the subscribers is able to 
compute secrete key g abc mod p. 

[0010] Known from Burmester, Desmedt, A secure and efficient conference key distribution 
system, Proc. EUROCRYPT'94, Springer LNCS, Berlin 1994 is, moreover, a design approach 
in which two rounds are required for generating the key, it being necessary to send n 
messages of length p = approx. 1000 bits for n subscribers in the second round. 

[0011] Further relevant design approaches are known from M. Burmester and Y. Desmedt, 
Efficient and secure conference key distribution, Cambridge Workshop on Security Protocols, 
Springer LNCS 1 189, pp 1 19-129 (1996). However, it is assumed here that secure channels 
already exist between the subscribers. 

[0012] In all of these extensions, at least one of the following problems occurs: 

• The subscribers have to be organized in a specific fashion; in the above 
example, for instance, as a circle, that is, a structure of the subscriber group must 
previously be known. 

• If a central unit is used to coordinate the key agreement, then the subscribers 
have no influence on the selection of the key with respect to this central unit. 

• The number of rounds depends on the number of subscribers. 

For the above reasons, these methods are generally difficult to implement and require 
considerable computational outlay. 
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[0013] The further development of the DH method to a public key method is known from T. 
EIGamal "A Public Key Cryptosystem and a Signature Scheme Based on Discrete 
Logarithms.", IEEE Transactions on Information Theory, July 1985. 

[0014] The method according to the present invention has to be suitable for generating a 
common key within a group of at least three subscribers. The intention is for the method to 
be designed in such a manner that it stands out over the known methods by a small 
computational outlay and a small communication requirement (few rounds even in the case of 
many subscribers). At the same time, however, it is intended to have a comparable security 
standard as the DH method. The method has to be easy to implement. Information on the 
structure of the group should not be required for carrying out the method. 

[0015] The method according to the present invention which satisfies this problem 
definition is based on the same mathematical structures as the DH method and has therefore 
comparable security features. In comparison with the group DH methods proposed 
heretofore, however, it is considerably more efficient with regard to the computational outlay 
and communication requirement. 

[0016] In the following, the operating principle of the method will be explained in greater 
detail. The defined subscribers of the method are denoted by Tl-Tn and each individual, not 
specifically named subscriber is denoted by Ti. All other subscribers involved in the method 
are denoted by Tj except for the respective subscriber Ti. The publicly known components of 
the method are a publicly known mathematical group G, preferably the multiplicative group 
of all integral numbers modulo a large prime number p, and an element g of group G, 
preferably a number 0 < g < p having large multiplicative order. However, it is also possible 
to use other suitable mathematical structures for group G, for example, the multiplicative 
group of a finite body or the group of the points of an elliptical curve. In the following, the 
method will be described on the basis of the group of numbers modulo a prime number p. 

[0017] The method is based on four method steps. 
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In the first method step, a message of the form Ni = g 21 mod p is generated by each not 
specifically named subscriber Ti and sent to all other subscribers Tj, zi preferably being a 
random number from the set {1, ... p-2} selected via a random-number generator. 

[0018] In the second method step, each subscriber Ti computes a common transmission key 
k ij : = (g zj ) zi from received message g 23 for each further subscriber Tj, where i * j. Since k 1J = k 1J 
applies, subscribers Ti and Tj now know a common transmission key k 1J and can therefore 
communicate confidentially. 

[0019] In the third method step, each subscriber Ti uses transmission key k 1J to confidentially 
send his/her random number zi to the other subscribers Tj, respectively. In the process, the 
' encryption of random number zi with transmission key k lj is carried out using a symmetrical 
encryption method. This means that, upon completion of the method step, each subscriber Ti 
knows the encrypted random numbers of all other subscribers Tj in addition to his/her own 
random number so that the conditions are given for computing a common key k. 

[0020] In the fourth method step, common key k is computed according to equation 
k = f (zl, z2, zn) 

at each subscriber Ti, with f being an arbitrary symmetrical function.. In this case, symmetry 
means that the value of the function remains the same even when arbitrarily exchanging the 
arguments. Examples of symmetrical functions include 

• the multiplication in a (finite) body: k: = zl ... zn, 

• the addition in a (finite) body: k: = zl + ... +zn, 
the bitwise XOR of zi: k: = zl e... ©zn, 

• the exponentiation of g with zi: k: = g 21 211 

• countless further possibilities. 

[0021] The transmission of the messages generated in steps 1 and 2 can be carried out both 
via point-to-point connections and by broadcast or multicast. 
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[0022] In the following, the method according to the present invention will be explained in 
greater detail in the light of a concrete example for three subscribers A, B and C. However, 
the number of subscribers can be extended to an arbitrary number of subscribers. 

[0023] In this example, the length of number p is 1024 bits; g has a multiplicative order of at 
least 2 160 . 

[0024] The method according to the present invention is executed according to the following 
method steps: 

1 . Subscriber A sends Na = g 23 mod p to subscribers B and C, subscriber B sends Nb = 
g 2 * 5 mod p to subscribers A and C, and subscriber C sends Nc = g* c mod p to subscribers A and 
B. 

2. Subscriber A computes kab = Nb 23 mod p and kac = Nc za mod p. Subscribes B and C 
proceed analogously. 

3. Subscriber A sends message Mab = E(kab, za) to subscriber B and message Mac = 
E(kac, za) to subscriber C. Here, E(k, m) denotes the symmetrical encryption of the data 
record with algorithm E under transmission key k 1J . Subscribes B and C proceed analogously. 

4. Subscriber A computes common key k according to the function k = g ka kb kc . 
Subscribers B and C compute common key k analogously. 

[0025] The method described above makes do with the minimum number of two rounds 
between subscribers A, B and C. The number of rounds required for carrying out the method 
according to the present invention remains limited to two rounds even with an arbitrary 
number of subscribers Tl-Tn . 

[0026] A variant of the method is to assign a special role to one of subscribers Tl-Tn for the 
execution of the second method step. If this role is assigned, for example, to subscriber Tl, 
then method steps 2 and 3 or b and c are executed only by subscriber Tl . In fourth method 
step d, all subscribers Tl-Tn involved in the method compute common key k according to the 
relation k: = h(zl, g 22 , g 2 "), it being required for (xl, x2, xn) to be a function which is 
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symmetrical in arguments x2, ... xn. This variant drastically reduces the number of 
messages to be sent. An example of such a function g is, for instance, 

k: = h(zl, gf 2 , g 2 ") = g 21 -* 1 • g 2221 ... g 2 " 21 . 

[0027] The method according to the present invention can be advantageously used to 
generate a cryptographic key for a group of a several or at least three subscribers. 
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[0028] List of Reference Symbols 



Tl-Tn subscribers 1 through n 

Ti undefined subscriber of T 1 -Tn 

Tj undefined subscriber of Tl-Tn, different from Ti. 

N message 

Ni message of an undefined subscriber Ti 

Mab message of subscriber A to subscriber B 

G publicly known mathematical group 

g element of group G 

p large prime number 

z random number from the set (l,...p-2) selected via a random-number 

generator 

k ij ; k lj common transmission key 

k common key 

E( , ) algorithm 

m data record 

f(xl ,x2,...,xn) function symmetrical in xl,x2,...,xn. 

h(x 1 ,x2, . . . ,xn) function symmetrical in arguments x2, . . . ,xn. 

A; B; C designation of the subscribers in the exemplary embodiment 
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METHOD FOR ESTABLISHING A COMMON KEY FOR A GROUP OF AT LEAST 
THREE SUBSCRIBERS 

(2) What is claimed is: 

1 . A method for establishing a common key for a group of at least three subscribers, 
using a publicly known mathematical group G and a publicly known element of the group g e 
G of large order, 
wherein 

a) each subscriber (Ti) generates a message (Ni = g 21 mod p) from the publicly 
known element (g) of the group (G) and a random number (zi) selected or generated by 
him/her and sends it to all other subscribers (Tj), 

b) each subscriber (Ti) generates a transmission key (k lJ ) from the messages (Nj) 
received from the other subscribers (Tj, j * i) and his/her random number (zi) according to 
the function k u : = Nj 21 = (g 23 ) 21 , the key being also known to subscriber (Tj) due to the equation 

k ij = k ji , 

c) each subscriber (Ti) sends his/her random number (zi) to all other subscribers 
(Tj) in encrypted form by generating the message (Mij) according to Mij := E(k 1J , zi), with 
E(k ij , zi) being a symmetrical encryption algorithm in which the data record (zi) is encrypted 
with the common transmission key (k 1J ), and 

d) the common key (k) to be established is determined by each subscriber (Ti) 
from his/her own random number (zi) and the random numbers (zj), j # i, received from the 
other subscribers according to the equation 

k: = f(zl, zn), 

it being required for f to be a symmetrical function which is invariant under the permutation 
of its arguments. 



9 



. • j. o o i! 3" R?=i o & j. o ji p 

[520.1007] 

2. The method for establishing a common key as recited in Claim 1, 
wherein 

a) all subscribers (Ti) involved in the method send the message (Ni = g^ 1 ) they 
have generated to a subscriber such as the first subscriber (Tl) who has previously been 
determined to carry out the subsequent method step, 

b) the first subscriber (Tl) encrypts the received messages (Nj) of the other 
subscribers (Tj, j # 1) for each subscriber (Tj) individually with his/her random number (zl) 
to form in each case one transmission key (k lj ), the key being also known to the subscriber 
(Tj) due to the equation k lj = k jl , 

c) the first subscriber (Tl) sends his/her random number (zl) to all other 
subscribers (Tj) in encrypted form by generating the message (Mlj) according to Mlj := 
E(k lj , zl), with E(k lj , zl) being a symmetrical encryption algorithm in which the data record 
(zl) is encrypted with the common transmission key (k lj ), and 

d) the common key (k) to be established is determined by each subscriber (Ti) 
from the values (Ni) and (Nj), j * i, and the random number (zl) sent by the first subscriber 
(Tl) in encrypted form with the aid of the equation 

k: = h(zl,g z2 ,...,g zn ), 

with h (xl, x2, xn) being a function which is symmetrical in the arguments x2, xn. 



10 



Abstract 



1 O O ■ I- -HS 3 'B l S * in & -1 *3»£J * i 



[520.1007] 



The inventive method is based on a publicly known mathematical number group (G) and a 
higher order element of the group g e G. In the first work step, a message corresponding to 
Ni: = g 2 * mod p) is sent by each subscriber (Ti) to all other subscribers (Tj), (zi) being a 
random number chosen from the set (1, p-2) by a random number generator. In the second 
work step, each subscriber (Ti) selects a transmission key kij: = (g ZJ ) zl for each other 
subscriber (Tj) from the received message (g^), with i j, for transmitting their random 
number (zi) to the subscribers (Tj). In the third work step, the common key k is calculated as 
k: = f(zl, z2, zn) for each subscriber Ti. The inventive method can be advantageously 
used for generating a cryptographic key for a group of at least three subscribers. 
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Generate by each subscriber Ti of the at least three subscribers a 
respective^ message Ni = (g zl mod p) from a publicly known element g of 
large order of a publicly known mathematical group G and a respective 
random number zi and send the respective message from the respective 
subscriber to all other subscribers Tj of the at least three subscribers, each 
respective random number zi being selected or generated by the 
respective subscriber Ti 



/IS 



Generate by each subscriber Ti a transmission key k ,J from the messages 
Nj received from the other subscribers Tj, j * i ? and the respective 
random number zi according to k ij : = Nj" = (g ZJ ) zl 
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Send by each subscriber Ti the respective random number zi in encrypted 
form to all other subscribers Tj by generating the message Mij according 
to Mij := E(k ,J , zi), E(k ,J ? zi) being a symmetrical encryption algorithm in 
which the data record zi is encrypted with the transmission key k u 



Determine a common key k by each subscriber Ti using the respective 
random number zi and the random numbers zj, j * i 7 received from the 
other subscribers according to 

k: = f(zl, zn), 

f being a symmetrical function which is invariant under a permutation of 
its arguments 
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